
MASTER THESIS

Cyber Attribution: Problem Solved?

Analyzing the Communication of Blame and Evidence for Nation-State Involvement in Cyber Operations, 1998-2018

Author: K.M. (Koen) van den Dool
Student Number: S1747525
E-Mail: [email protected]
Date: June 6, 2018
Word count: 20237
Supervisor: Prof. Dr. B. van den Berg
Second Reader: Mr. S. Boeke


Table of Contents

1. INTRODUCTION ... 4

2. THEORY: ATTRIBUTION OF CYBER OPERATIONS ... 8

2.1. Defining Cyber Operations ... 8

2.2. Attribution in Cyberspace ... 11

2.2.1. Identification ... 12

2.2.2. Response ... 21

2.2.3. Communication ... 28

3. ANALYSIS: BLAME AND EVIDENCE IN CYBER ATTRIBUTION ... 31

3.1. Methodology ... 31

3.1.1. Case Selection ... 33

3.1.2. Variables ... 37

3.2. Analysis ... 43

3.2.1. First Results ... 43

3.2.2. Neutral Attribution ... 47

3.2.3. Territorial Attribution ... 54

3.2.4. Nation-State Attribution ... 62

4. CONCLUSION ... 72

BIBLIOGRAPHY ... 76

List of Tables

Table 1: Levels of Identification ... 13

Table 2: Levels of State Involvement in Cyber Operations ... 20

Table 3: Law Enforcement vs. National Security Approach to Attribution ... 21

Table 4: State Involvement and Response Types ... 27

Table 5: Operation Levels (Examples) ... 36

Table 6: First Results of Categorization ... 43

Table 7: Number of Cases per Operation Type ... 45

Table 8: Classification of Attribution Occurrences for CNA and CNE Cases ... 45

Table 9: Number of Cases per Target Type ... 46

Table 10: Classification of Attribution Occurrences per Target Type ... 46

List of Figures

Figure 1: Attribution of Cyber Operations, 1998-2018 ... 44

List of Illustrations

Image 1: Calvin and Hobbes ... 4

Image 2: Parody of the 1993 New Yorker cartoon ... 15

Image 3: Excerpt from the TRANSCOM report (screenshot) ... 64

List of Abbreviations

ACSC Australian Cyber Security Centre

APT Advanced Persistent Threat

ARSIWA Articles on Responsibility of States for Internationally Wrongful Acts

C2 (or C&C) Command and Control

CFR Council on Foreign Relations

CNA Computer Network Attack

CNE Computer Network Exploitation

CNO Computer Network Operations

DDoS Distributed Denial of Service

DHCP Dynamic Host Control Protocol

DIME(LE) Diplomacy, Information, Military, Economy (and Law Enforcement)

DNC Democratic National Convention

DNS Domain Name System

EU European Union

FBI Federal Bureau of Investigation

NSA National Security Agency

GCHQ Government Communications Headquarters

GDPR General Data Protection Regulation

IO Information Operations

IOC Indicators of Compromise

ISP Internet Service Provider

IAAF International Association of Athletics Federations

MFA Ministry of Foreign Affairs

NATO North Atlantic Treaty Organization

NISCC National Infrastructure Security Coordination Centre

RAT Remote Access Tool

TOR The Onion Router

US United States

VPN Virtual Private Network

VPS Virtual Private Server

1. Introduction

Image 1: Calvin and Hobbes1

“Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators […] A graphical representation of data abstracted from the banks of every computer in the human system.”2 This is the original definition of the word ‘cyberspace’, first used by science fiction writer William Gibson in his book ‘Neuromancer’, published in 1984. 26 years later, the Pentagon defined it as “a global domain within the information environment consisting of the independent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.”3

An important characteristic of cyberspace is the detachment of the physical identity from the technical identity. Digital identifiers such as IP addresses and domain names are not inherently linked to one person or entity in the same way as fingerprints or DNA profiles are. Put differently, strings of digital code in themselves are neutral and replicable. As a result, when trying to identify criminals and aggressors in cyberspace, Bruce Schneier says: “In cyberspace you can’t see anything directly, so it’s all going to be circumstantial.”4

This statement sheds light on one of the core dilemmas that decision makers face when responding to cyber attacks – the so-called attribution problem in cyberspace. A standard dictionary defines “to attribute” as “to explain (something) by indicating a cause”.5 After a violation of the law in the ‘physical’ world, a crime is (ideally) attributed to a criminal based on evidence, which is presented before a court, which may find the criminal guilty beyond any reasonable doubt. In addition, an attack in the context of interstate conflict is generally overt and attributable.6 This process can be complex, but the procedural rules and standards of evidence are relatively straightforward.

1 “Calvin and Hobbes by Bill Watterson for Jan 20, 1994,” Go Comics (website), accessed May 22, 2018, http://www.gocomics.com/calvinandhobbes/1994/01/20.

2 William Gibson, Neuromancer (New York: The Berkley Publishing Group, 1984), 51.

3 Noah Shachtman, “26 years after Gibson, Pentagon defines ‘Cyberspace’,” Wired, May 23, 2008, accessed May 22, 2018, https://www.wired.com/2008/05/pentagon-define/.

Coming to grips with responding to cyber attacks is more problematic, because attribution is more ambiguous when the ‘crime scene’ or ‘battlefield’ consists of globally spread fragments of code. Joseph S. Nye Jr. illustrates the difficulty of cyber attribution by comparing it to conventional deterrence of nuclear attacks:

“Nuclear attribution is not perfect, but only nine states possess nuclear weapons; the isotopic identifiers of their nuclear materials are relatively well known; and although weapons or materials could be stolen by third parties, there are serious barriers to entry for non-state actors. None of this is true in cyberspace, where a few lines of malicious code can be written (or purchased on the dark web) by any number of state or non-state actors.”7

Attributing cyber attacks is an important issue for decision makers, as is explained by Susan Brenner, because knowing who is behind a cyber attack indicates what type of threat one is facing – i.e. terrorism, crime, warfare.8 This, in turn, indicates whether the threat requires a law enforcement response or a national security response.

Although some have called attribution “perhaps the most difficult problem” in cyberspace,9 others are less pessimistic. Thomas Rid, for example, says “there is still this ‘attribution is impossible’ knee jerk reaction”, but “the idea that attribution is not possible doesn’t carry any weight in the technically informed community anymore.”10 Former top White House official and co-author of the book ‘Cyber War’ Richard Clarke once said:

5 Merriam-Webster, s.v. “attribute,” accessed February 8, 2018, https://www.merriam-webster.com/dictionary/attribute#h2.

6 Susan W. Brenner, “At Light Speed: Attribution and Response to Cybercrime/Terrorism/Warfare,” Journal of Criminal Law & Criminology 97, no. 2 (2007): 406-409.

7 Joseph S. Nye Jr., “Deterrence and Dissuasion in Cyberspace,” International Security 41, no. 3 (2016): 50.

8 Brenner, “At Light Speed,” 405.

9 P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar (New York, NY: Oxford University Press, 2014), 73.


“With more time, I think we can solve the attribution problem. You can’t find the origin of an attack in real time. But ultimately you can do the forensics if you can hack into all the servers. The NSA [National Security Agency] can do that. And the NSA tells me that attribution isn’t really a problem.”11

If true, one may expect that governments are better able to determine nation-state involvement in cyber attacks and consequently call out those states. However, does this also happen in practice? This question is the point of departure for this thesis. To be more precise, the question I want to answer is: ‘How is nation-state involvement in cyber operations publicly communicated, and to what extent are such claims substantiated by evidence?’

Implicit in this question is not only a substantive objective to answer the question itself, but also a methodological objective to turn the focus in this field of study to empirical observation. Most of the literature on cybersecurity is highly conceptual and hypothetical in nature, requiring what Brandon Valeriano and Ryan Maness call “spectacular flights of the imagination”.12 They argue:

“The field of cyber security needs a clear return to social science in order to be able to definitively engage the cyber debate with facts, figures, and theory.”13

To reach this double objective, this thesis is divided into two parts. The first part looks at the existing theoretical literature on cyber attribution to answer the question: If the attribution problem is not a technical problem, what is it instead? Here I conclude that, although the technical problem is not necessarily solved, the extent to which it restricts response depends mostly on which response logic one follows – law enforcement or national security. In the latter approach, assessments with high confidence are sufficient to legitimize response, as opposed to complete certainty, which is required in the law enforcement model. However, without sufficient evidence, convincing others boils down to credibility and authority.

11 Andy Greenberg, “Security Guru Richard Clarke Talks Cyberwar,” Forbes, April 8, 2010, accessed May 26, 2018, https://www.forbes.com/2010/04/08/cyberwar-obama-korea-technology-security-clarke.html#7bf35589344e.

12 Ibid, 347. (Other examples include: Kello, “The Meaning of the Cyber Revolution”; Lindsay, “Tipping the Scales”; Rid & Buchanan, “Attributing Cyber Attacks”; Nye, “Deterrence and Dissuasion”.)


In the second part, I present the methodology and results of an analysis of 203 cases that untangles the various ways in which attribution of cyber operations is communicated in practice. After an explanation of my methodology and first results, this part is further divided into three chapters based on an assessment of the different levels of attribution of nation-state involvement in cyber operations. First, neutral attribution is mostly limited to a threat assessment and does not mention that any state is involved. Second, territorial attribution mentions a country of origin but excludes government involvement. Here, the identification of a culprit or server that is not connected to a state allows the victim to prosecute or to request action against that culprit. This follows the law enforcement model. Third, nation-state attribution occurs when the attributing authority puts blame on a foreign country, resulting in principal attribution. In this situation, a government may take national security response measures.

2. Theory: Attribution of Cyber Operations

As stated in the introduction, the attribution problem in cyberspace may pose a significant problem for decision makers who have to devise an appropriate response to detected cyber operations. But what exactly are the constitutive elements of this attribution problem, and how do they complicate response formulation for decision makers? This section answers these questions by looking at the existing body of literature on the attribution of cyber operations. Before answering these questions, it is important to arrive at a definition of ‘cyber operations’, and to clarify the various language conventions on the objects of attribution in cyberspace.

2.1. Defining Cyber Operations

In the cybersecurity literature, the term ‘cyber attack’ is often used as a container concept to include many different types of events in cyberspace. As will be discussed below, this ambiguity is not particularly helpful. Using the term cyber attack puts all events described as such in a frame of conflict and armed attacks with destructive effects. A possible alternative denomination could be a broader category of ‘cyber threats’. This, however, implies a hypothetical – that is, an event that is still to become. Instead, this research’s focus is on attribution of events that are ongoing or completed. This can include cyber attacks, but also other acts that have no offensive or destructive effects, such as cyber espionage.

As a result, the term of use for this thesis is cyber operations. This concept is more satisfying than cyber attacks, because it is broader and includes non-destructive operations like espionage. The Tallinn Manual on the International Law Applicable to Cyber Warfare defines cyber operations as “the employment of cyber capabilities with the primary purpose of achieving objectives in or by the use of cyberspace”.14 This definition, however, is too broad. It provides no specification of ‘objectives’, meaning that all acts are included, even non-offensive common acts such as sending text messages or processing financial transactions online. So to get a better conceptualization of ‘cyber operations’ we must parse the different categories of operations that will be included in this research.

Arquilla and Ronfeldt’s distinction of ‘Netwar’ from ‘Cyberwar’ may serve as a useful starting point.15 They define netwar as “societal-level ideational conflicts waged in part through internetted modes of communication”, or, “information-related conflict at a grand level between nations or societies.”16 Put briefly, Netwar aims to influence public and/or political opinion of an adversary through psychological manipulation and information campaigns. In doing so, it uses the Internet and its communication platforms to reach its audience.

In recent years, we have witnessed an increase in reporting about so-called ‘trolling’ and ‘bots’ on social media. Trolling could be generally defined as an act “to antagonize (others) online by deliberately posting inflammatory, irrelevant, or offensive comments or other disruptive content”.17 This was the case in the run-ups to the U.S. presidential elections and the Brexit referendum in 2016, as well as the Catalan independence referendum in 2017, where botnets that were allegedly connected to Russian actors spread polarizing (and mostly false) content to instigate political instability.18

In some policy circles this is also known as ‘information warfare’, designed “to sever outside lines of communication so that people get their information only through controlled channels”.19 The use of the term ‘warfare’ in this case falsely creates an impression of armed conflict or declared war. Instead, these operations mostly use overt and not strictly illegal or destructive means to reach their ends. Therefore, in this research this category of operations is called Information Operations (IO).

Arquilla and Ronfeldt’s second category of ‘Cyberwar’ refers to “conducting, and preparing to conduct, military operations according to information-related principles.”20 With due regard to the usefulness of this definition as a starting point, it needs some reconsideration. Since the current conceptualization leaves no room for operations outside the military realm, the definition should be expanded to include non-military operations such as espionage and attacks below the threshold of armed conflict.

15 John Arquilla and David Ronfeldt, “Cyberwar is Coming!” Comparative Strategy 12, no. 2 (1993): 27.

16 Ibid, 27-28.

17 Merriam-Webster, s.v. “troll,” accessed April 18, 2018, https://www.merriam-webster.com/dictionary/troll.

18 Hannes Grassegger and Mikael Krogerus, “Fake news and botnets: how Russia weaponised the web,” The Guardian, December 2, 2017, accessed April 18, 2018, https://www.theguardian.com/technology/2017/dec/02/fake-news-botnets-how-russia-weaponised-the-web-cyber-attack-estonia; Scott Shane and Vindu Goel, “Fake Russian Facebook Accounts Bought $100,000 in Political Ads,” The New York Times (online), September 6, 2017, accessed April 18, 2018, https://www.nytimes.com/2017/09/06/technology/facebook-russian-political-ads.html.

19 Grassegger and Krogerus, “Fake news and botnets.”


Moreover, this category can be further split up between computer network attack (CNA) and computer network exploitation (CNE), both of which can be thought of as subcategories of computer network operations (CNO).21 As the term suggests, CNA – or cyber attack – refers to offensive acts, aimed at “the deliberate disruption or corruption by one state of a system of interest to another state”.22 ‘Disruption’ and ‘destroying’ of data are elements that occur in similar definitions elsewhere.23 Therefore, CNA is relatively overt, since it has noticeable effects. CNE – or cyber espionage – on the other hand, is about espionage and reconnaissance, and considered less disruptive because of the covert nature of the operations.24

The crucial factor that sets CNO apart from IO is that of unauthorized access. Although the source materials used in IO are obtained from illegal or undisclosed sources, its dissemination does not involve strictly illegal activities on computer systems. IO uses computer systems to spread content, as opposed to CNO that has as its goal the intrusion or attack upon computer systems themselves.

The distinction between CNA and CNE is admittedly imperfect, because in practice CNA and CNE methods may be very similar. In Schneier’s words, “the problem is that, from the point of view of the object of an attack, CNE and CNA look the same as each other, except for the end result”.25 CNE can be a reconnaissance mission as a prelude to a subsequent attack. Nevertheless, this critique does not render the distinction useless for this research. For attribution it is exactly that end result that one needs to look at. If an operation has had no destructive or disruptive effects, and if there is no additional proof that the operation was meant for such ends, it is assumed here that the operation falls under CNE.

21 Jason Andress and Steve Winterfeld, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners (Waltham, Massachusetts: Syngress, 2014), 54.

22 Martin C. Libicki, Cyberdeterrence and Cyberwar (Santa Monica: RAND Corporation, 2009), 23.

23 “The varied ability of an actor to disrupt computer systems through either concentrated or stealthy digital assault”, in: Christopher Whyte, “Ending cyber coercion: Computer network attack, exploitation and the case of North Korea,” Comparative Strategy 35, no. 2 (2016): 97.

24 Libicki, Cyberdeterrence and Cyberwar, 23; Kim Zetter, “Hacker Lexicon: What are CNE and CNA?” Wired, July 6, 2016, accessed March 2, 2018, https://www.wired.com/2016/07/hacker-lexicon-cne-cna/.

25 Bruce Schneier, “Computer Network Exploitation vs. Computer Network Attack,” Schneier on Security (Blog), March 10, 2014, accessed March 2, 2018,

2.2. Attribution in Cyberspace

Finding an adequate response to cyber operations has been an issue in both academic and policymaking circles worldwide for years. In order to arrive at such a response, attribution, loosely defined as “to explain (something) by indicating a cause”,26 is considered key. In an early study of cyber attack attribution, Wheeler and Larsen define attribution as an act in which “the defender […] wants to identify or locate the attacker or at least an intermediary so a targeted response can be employed.”27 More specifically, Brenner argues that attribution has to answer two questions: who is the one responsible for the attack (attacker-attribution), and what was the motive of the attack (attack-attribution). As she puts it: “The first issue goes to assigning responsibility for committing an attack. The second goes to assigning responsibility for responding to an attack.”28

In Brenner’s analysis, the answer to the second question is largely dependent on the answer to the first question: If the culprit is a nation-state, one may expect a political or military response, whereas individual cybercriminals fall in the realm of law enforcement. However, in the context of the attribution problem, identifying the who is not always directly possible, and thus requires some guesswork about operation motives. Moreover, as Guitton notes, “determining if an incident is an act of crime or of terrorism rests solely on knowing whether the motives behind it are political. Again, the motives cannot be known before at least partial attribution. In such a model, the motive for the attack is simultaneously the solution to the problem and the variable on which the problem depends”.29

Despite this limitation, the identification processes on the one hand versus response processes on the other, as based on Brenner’s distinction, both deserve a closer look to get a better appreciation of the complexities decision makers face in this respect.

26 Merriam-Webster, s.v. “attribute,” accessed February 8, 2018, https://www.merriam-webster.com/dictionary/attribute#h2.

27 David A. Wheeler and Gregory N. Larsen, Techniques for Cyber Attack Attribution (Alexandria, VA: Institute for Defense Analyses, 2003), 2.

28 Brenner, “At Light Speed”, 405.

2.2.1. Identification

Looking at attribution as a means to identify someone or something as the source of the attack, Clark and Landau suggest that there are three general categories of attribution: the machine, the person, and the aggregate identity (or sponsor).30 This categorization corresponds to Lin’s distinction between the machine, the perpetrator (or intruder), and the adversary (see Table 1 below).31

The first level of attribution aims to trace back an attack to a technical point of origin, being a computer or server IP address. According to Clark and Landau this is a ‘starting point for attribution’, thus implying that actual attribution should go beyond merely technical forensics and machine identification.32 Indeed, it is hard to call a computer to court.

Boebert, who distinguishes technical attribution from human attribution, underscores this point.33 Technical attribution is defined as “analyzing malicious [activity], and using the results of the analysis to locate the node which initiated or is controlling the attack.”34 Boebert then defines human attribution as “taking the results of technical attribution and combining it with other information to identify the person or organization responsible for the attack.”35 Again, the goal appears to be to get from technical to human attribution.

The second and third levels of attribution are both categories of human attribution and most relevant in the context of this study, because it is at these levels that attribution goes beyond digital forensics to identify an entity that can be held accountable – either a (group of) individual(s) pressing the keys, or an ultimately responsible directing entity. This distinction roughly correlates with the theoretical distinction between an agent (an individual or operational entity executing given instructions) and a principal (an entity giving instructions to the agent). The next two sections will look at these two levels of attribution, how they relate to one another, and what obstacles may be encountered.

30 David Clark and Susan Landau, “Untangling Attribution,” in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (Washington, D.C.: The National Academies Press, 2010), 37.

31 Herbert Lin, “Attribution of Malicious Cyber Incidents: From Soup to Nuts,” Journal of International Affairs 70, no. 1 (2016): 80.

32 Clark and Landau, “Untangling Attribution,” 26.

33 W. Earl Boebert, “A Survey of Challenges in Attribution,” in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (Washington, D.C.: The National Academies Press, 2010), 43.

Table 1: Levels of Identification

Boebert36     Clark & Landau37       Lin38
Technical     Machine                Machine
Human         Person                 Perpetrator
Human         Aggregate Identity     Adversary

Agent Attribution

Agent attribution is about identifying a physical entity – whether it is an individual or group – that is directly ‘pressing the keys’. Clark and Landau suggest that IP addresses are a valuable starting point to identify a physical agent behind malicious internet traffic: “IP addresses are usually allocated in blocks to Internet service providers (ISPs), corporations, universities, governments and the like. Normally, the ‘owner’ of a block of addresses is a public record, so one can look up an address to see who it belongs to.”39

However, this overlooks the fact that IP addresses can be manipulated or hidden in various ways. Wheeler and Larsen list some of these methods.40 First, IP addresses can be ‘spoofed’, simply meaning that the sending address is forged. Second, attackers can use ‘reflector hosts’, in which the attacker uses the victim’s sending address to send a request to a host server. Third, protocols sometimes have loopholes that can be exploited. Fourth, attackers may use ‘laundering hosts’ as either ‘stepping stones’ or ‘zombies’ to attack a third party. This method is often used in Distributed Denial of Service (DDoS) attacks. Finally, attribution is complicated because attacks can use many different timescales, varying from mere milliseconds to weeks or months. In addition, Boebert lists several other technologies that may hide information about the sender’s identity or location, such as the use of Virtual Private Networks (VPNs), Onion Routing (TOR), or Dynamic Host Control Protocols (DHCPs).41 A recent addition to this list could be cryptocurrency, such as Bitcoin. This technology is popular for ransomware attacks – hijacking victims’ PCs and servers to demand a compensation to be paid using cryptocurrency – because it facilitates anonymous payment.42

36 Boebert, “Challenges in Attribution,” 43.

37 Clark and Landau, “Untangling Attribution,” 37.

38 Lin, “Attribution of Malicious Cyber Incidents,” 80.

39 Clark and Landau, “Untangling Attribution,” 33.

40 Wheeler and Larsen, Techniques for Cyber Attack Attribution, 3.

41 Boebert, “Challenges in Attribution,” 43-46.


Besides anonymity-enhancing technologies, a second problem that is often put forward in the literature is the fact that many incidents originate in another country and attacks often employ ‘multi-stage’ methods, directing traffic across multiple servers in multiple countries.43 Such tactics are especially noticeable with DDoS attacks, which make use of ‘botnets’ as a platform to launch their attacks indirectly. The ‘recruitment’ of such bots – i.e. spreading of malware across third-party machines prior to attack – often occurs in multiple sequences, spreading to thousands of nodes in many different countries.

Beyond severely complicating the tracing of the initial attacker, the routing of traffic through multiple jurisdictions makes things even more complicated. The investigator might not have permission to search servers outside its jurisdiction; the host country might have other legal standards of what it considers legitimate or illegitimate traffic; and investigation becomes fragmented and decentralized. Not only does this pose an obstacle to successful attacker identification, it also makes retaliatory action less feasible.

A third limitation to digital forensic investigation is privacy regulation.44 As Kello notes, obtaining only an IP address is insufficient for a punitive response.45 Historically, an IP-address host’s name and location could be retrieved via the so-called ‘whois’ functionality, administered by a Domain Name System (DNS) registrar. However, privacy regulations have rendered this function almost obsolete, and legal procedures to obtain whois data can be time- and labor-intensive.46 More specifically, the whois functionality is close to its end because of its incompatibility with the pending General Data Protection Regulation (GDPR) of the European Union (EU), enforced since May 25, 2018.47

Other privacy problems include the permission required to access data on personal drives or to break encryption. The shooting incident at San Bernardino, CA, in December 2015 is a case in point: the FBI wanted access to the shooter’s iPhone to obtain information about possible connections to terrorist networks, but Apple refused to provide it, fearing it would erode consumer privacy protection principles.48

43 William J. Lynn III, “Defending a New Domain: The Pentagon’s Cyberstrategy,” Foreign Affairs 89, no. 5 (September 2010): 99; Lucas Kello, “The Meaning of the Cyber Revolution: Perils to Theory and Statecraft,” International Security 38, no. 2 (2013): 33; Clark and Landau, “Untangling Attribution,” 31.

44 Kello, “The Meaning of the Cyber Revolution,” 33; Clark and Landau, “Untangling Attribution,” 38; Boebert, “Challenges in Attribution,” 43.

45 Kello, “The Meaning of the Cyber Revolution,” 33.

46 Boebert, “Challenges in Attribution,” 45.

47 Dutch IT-Channel, “WhoIS nadert zijn einde,” Dutch IT-channel (website), April 17, 2018, accessed April 19, 2018, https://dutchitchannel.nl/597903/whois-protocol-voldoet-niet-aan-gdpr.html.


A fourth and final problem has to do with authentication. A famous 1993 cartoon that said “on the Internet, nobody knows you’re a dog” (below) illustrates an important distinction between identity and authentication.49 Singer and Friedman define identification as “the act of mapping an entity to some information about that entity”, as opposed to authentication, which is “the proof of the identification.”50 This proof can be something you ‘know’ (e.g. a password), something you ‘have’ (e.g. a bankcard), or something you ‘are’ (biometrics).51 Therefore, even if one has been able to associate malicious activity with an identity, there is still a chance that the credentials were stolen, documents were forged, or biometric identifiers were compromised.52 As a result, Singer and Friedman say, “relying on the IP address would be like relying on license plates to identify drivers.”53

The problems mentioned here – anonymity, jurisdiction, privacy, and authentication – do not show that attribution is impossible, but they do demonstrate that agent attribution based on technical details alone is inherently limited. Evidence such as IP addresses may provide a useful piece of a puzzle to learn more about the applied methods and geographic locations, but for a more complete picture of the aggressor one will need additional information from other sources. Even if an individual culprit is identified, another remaining challenge is to verify potential external influences and motives, such as the involvement of a state sponsor.

Image 2: Parody of the 1993 New Yorker cartoon54

49 Singer and Friedman, Cybersecurity and Cyberwar, 31-33.

50 Ibid, 31.

51 Ibid, 32.

52 Ibid.

53 Ibid, 33.

Principal Attribution

Principal attribution is about identifying the entity, organization or state sponsor that is ultimately responsible for an incident because it is instructing or supporting an agent. Healey emphasizes the importance of principal attribution:

“National policy makers often need to know the responsibility for an attack, not the technical attribution, to drive their decisions and responses. ‘Who is to blame?’ can be more important than ‘who did it?’”55

Identifying the one responsible is hard for several reasons. First, there is the notion that attribution in cyberspace suffers from a ‘large-N’ problem, largely due to the relatively low barriers to entry for other actors.56 Kello argues that this problem causes a ‘power dispersion’ to the disadvantage of states, benefiting non-state actors and individuals.57 Further still, Farwell and Rohozinski’s analysis of the 2010 Stuxnet attack notes that cybercrime plays a fundamental role in the development and sale of ‘off-the-shelf’ offensive tools on the dark web.58 This technological proliferation increases the pool of suspects from which one has to fish, making the identification of a culprit more difficult. As Nye’s explanation in the introduction illustrated, in the case of a nuclear strike the pool of suspects is relatively small. Even launching kinetic military strikes requires significant resources that are not available to everyone. In cyberspace, however, code is easy to replicate and, in theory, anybody with a computer could write lines of code for nefarious purposes.

Another fundamental problem for attribution in cyberspace is assessing the involvement of a state sponsor. This is mostly because of the use of ‘proxies’, defined by Maurer as actors that “act as intermediaries that conduct or directly contribute to an offensive cyber action that is enabled knowingly, whether actively or passively, by a beneficiary.”59 The use of proxy actors is as old as warfare itself and not unique to cyberspace, but because of the ease of proliferation of cyber offensive technology, cyberspace is considered particularly receptive to proxy strategies.60

55 Jason Healey, “The Spectrum of National Responsibility for Cyberattacks,” Brown Journal of World Affairs 18, no. 1 (2011): 57.
56 Kello, “The Meaning of the Cyber Revolution,” 33; Emilio Iasello, “Is Cyber Deterrence an Illusory Course of Action?” Journal of Strategic Security 7, no. 1 (2014): 59.
57 Kello, “The Meaning of the Cyber Revolution,” 33.
58 James P. Farwell and Rafal Rohozinski, “Stuxnet and the Future of Cyber War,” Survival 53, no. 1 (2011).
59 Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power (Cambridge: Cambridge University Press,

There are different ways to categorize state-proxy relationships. An overview of these categorizations is presented in Table 2 at the end of this section. Boebert identifies four levels of state involvement that may serve as a point of departure for analysis: state-mounted, state-sponsored, state-tolerated, and non-state non-sponsored.61 Each has a different level of state responsibility, which is also found in international law principles, as presented by Guitton and Korzak.62

The first category of state-mounted operations originates from official governmental entities, most notably armed forces or intelligence agencies. Guitton and Korzak note that state responsibility for these types is laid down in Articles 4 and 5 of the Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA), stating that a targeted state can hold another state responsible if it finds that the perpetrator is a military or civilian branch of government.63 This also includes “the actions of persons or entities empowered by national law to exercise some degree of governmental authority”.64 As Boebert states, in these cases “attribution becomes obvious,” because these types of operations usually occur in the context of an ongoing conflict.65 For purposes of interstate (military) conflict, states are increasingly developing ‘Cyber Commands’ and offensive cyber capabilities that operate under a military jurisdiction.66

In the second category, state-sponsored operations are conducted by non-state actors, but they act under some sort of active direction or with support from a state sponsor. Such actors are sometimes called Advanced Persistent Threats (APTs). Singer and Friedman define an APT as “a cyberattack campaign with specific targeted objectives, conducted by a coordinated team of specialized experts, combining organization, intelligence, complexity, and patience”.67 According to cybersecurity company FireEye, “APT attackers receive direction and support from an established nation state”.68 Maurer subdivides this category into ‘delegation’ and ‘orchestration’.69 Delegation occurs when the state sponsor (or ‘beneficiary’) has ‘effective control’ over its proxy actor. Orchestration is the act of supporting a proxy with less direct control or no specific instructions. State responsibility for such acts is reflected in ARSIWA Article 8 and the case concerning Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v. USA), which set high standards of evidence for ‘strict control’ and ‘effective control’ over ‘conduct directed and controlled by a state’.70

60 Kello, “The Meaning of the Cyber Revolution,” 36; Justin Key Canfil, “Honing Cyber Attribution: A Framework for Assessing Foreign State Complicity,” Journal of International Affairs 70, no. 1 (2016): 220.
61 Boebert, “Challenges in Attribution,” 51; Healey further elaborates on this work and provides a list of ten possible relationships, varying from state-prohibited (i.e. the state ‘will help stop the third-party attack’) to state-integrated (i.e. the state ‘integrates third-party attackers and government cyber forces, with common direction and coordination’). He ranks these relationships based on their level of ‘ignoring’, ‘abetting’, and ‘conducting’ the attack. The first entails the refusal or incapability to respond to an attack, thus forming a permissive environment for malicious third parties. The second occurs when states deliberately encourage or support third parties. The third factor designates the extent to which the operations are conducted by state organs or based on a national government decision. Healey, “The Spectrum of National Responsibility for Cyber Attacks,” 62.
62 Clement Guitton and Elaine Korzak, “The Sophistication Criterion for Attribution: Identifying the Perpetrators of Cyber-Attacks,” The RUSI Journal 158, no. 4 (2013): 66.
63 Ibid.
64 Ibid.
65 Boebert, “Challenges in Attribution,” 51.

The third category is state-tolerated operations, in which the agent operates independently from the state but may have compatible or aligning interests with that state, and the state deliberately refuses to take action.71 Maurer calls this category ‘sanctioning’, which sets itself apart from the aforementioned two types because the relationship is characterized by passive support (‘omission’), as opposed to the active role (‘commission’) assumed by the principal in the other two.72 State responsibility for such activities is stipulated by the International Court of Justice in the Corfu Channel Case, stating that states have an “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other states.”73

Fourth, non-state non-sponsored operations are a diverse group of threats that can have different motivations. Actors in this group include script kiddies, cyber terrorists, hacktivists, and cyber criminals. These actors have no sponsor and could be prosecuted in their host state. Following the same principle mentioned in the Corfu Channel Case above, host states have an obligation to take action against such actors on their territory or within their jurisdiction. Nevertheless, these actors may still flourish in states that do not have the capacity or a desire for prosecution.74 In addition, it is also possible that the conduct that the victim country considers aggressive or illegal is allowed in the host state.

67 Singer and Friedman, Cybersecurity and Cyberwar, 293.
68 “Advanced Persistent Threat Groups,” FireEye (website), accessed March 5, 2018, https://www.fireeye.com/current-threats/apt-groups.html.
69 Maurer, Cyber Mercenaries, 20.
70 Guitton and Korzak, “The Sophistication Criterion,” 66; International Court of Justice, Case Concerning Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v. United States of America) (Merits), June 27, 1984, para. 115, accessed May 22, 2018, http://www.icj-cij.org/files/case-related/70/070-19860627-JUD-01-00-EN.pdf.
71 Boebert, “Challenges in Attribution,” 51.
72 Maurer, Cyber Mercenaries, 125.
73 Guitton and Korzak, “The Sophistication Criterion,” 66; International Court of Justice, The Corfu Channel Case (Merits), April 9, 1949, p. 22, accessed May 22, 2018, http://www.icj-cij.org/files/case-related/1/001-19490409-JUD-01-00-EN.pdf.

Assuming agent-attribution is possible, the relevance of principal-attribution varies per category. For the first type, principal-attribution does not pose a problem – identifying the agent is the same as identifying the principal. For the fourth type, principal-attribution is also less of an issue, since it is less likely that the agent receives protection from a sponsoring state. Principal-attribution becomes more relevant for the third type, where it appears that the agent at least receives some passive support from a sponsor. An important condition for a case to become one of the third type as opposed to the fourth type is that the operation has to violate a commonly agreed rule or principle. Perfect principal-attribution in the third type would demand a very high standard of evidence to demonstrate effective or strict control. This high standard of evidence permits the principal a degree of ‘plausible deniability’. Guitton defines plausible deniability as a situation in which “it is not possible for a victim to conclusively prove the involvement of the entity they suspect of having instigated an attack.”75 This is especially true if the state or non-state actor directing the attack tries to hide such a relationship on purpose. An overview of these relationship types is presented in Table 2 below.

Based on the literature so far, it is possible to conclude that attributing cyber operations with one hundred percent certainty is not strictly impossible but still very unlikely. For agent attribution, it requires conclusively linking technical evidence to a physical entity, and for principal attribution, it requires conclusively identifying a principal-agent relationship. These objectives are complicated not only because of the Internet’s technical features, but also because of the involvement of non-state actors. Therefore, attribution would require some tolerance for uncertainty. This raises the question whether it is possible to act on less than complete certainty, and if so, how.

town is the cyber-crime capital of the world – where hundreds of fraudsters rake in millions from gullible online shoppers,” Daily Mail, November 21, 2014, accessed May 22, 2018, http://www.dailymail.co.uk/news/article-2840697/The-scourge-Scamville-Romanian-town-cyber-crime-capital-world-hundreds-fraudsters-rake-millions-gullible-online-shoppers.html.

| Boebert76 | Healey77 | Maurer78 | Guitton & Korzak79 | Agent-Principal Relationship |
|---|---|---|---|---|
| State-mounted: “Conducted by the armed forces or covert action agencies of a nation state.” | Conducting: “Executing a decision made by the national government or as a result of attacks carried out by elements of their government without official approval.” | -- | ARSIWA Arts. 4 and 5: “Conduct of organs of a State”; “Persons or entities empowered by national law to exercise some degree of governmental authority.” | Type 1: Agent-attribution automatically leads to principal-attribution. |
| State-sponsored: “Involvement of non-state actors”; “Relationship between an identified non-state actor and some state.” | Abetting: “Directly or indirectly encouraging or supporting the attack.” | Delegating: “The beneficiary has significant, at least overall or effective, control over the proxy.” Orchestrating: “The state supports the proxy without necessarily providing specific instructions.” | ARSIWA Art. 8 jo. Nicaragua v. USA para. 115: “Conduct directed or controlled by a State”; “Effective control” | Type 2: Principal-attribution needs to establish an active supporting relationship with the agent, which requires a high standard of evidence. |
| State-tolerated: “So-called ‘patriotic hackers’ of a particular nation independently launch attacks whose nature and timing coincide with the interests of that nation.” | Ignoring: “Refusing to acknowledge the attack.” | Sanctioning: “The state provides an enabling environment for non-state actors’ malicious activity by deliberately turning a blind eye.” | Corfu Channel Case p. 22: “State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States.” | Type 3: Principal-attribution becomes relevant when the host state refuses to take action, which establishes a passive relationship. |
| Non-state non-sponsored: “Not sponsored, nor independently acting in the interest of a particular state.” | -- | -- | | Type 4: Principal-attribution is irrelevant as long as the host state is willing to take action. |

Table 2: Levels of State Involvement in Cyber Operations

76 Boebert, “Challenges in Attribution,” 51.
77 Healey, “The Spectrum of National Responsibility for Cyberattacks,” 61-63.
78 Maurer, Cyber Mercenaries, 20.
79 Guitton and Korzak, “The Sophistication Criterion,” 66.

2.2.2. RESPONSE

The ability to respond with less than one hundred percent certainty, the academic literature suggests, largely depends on how the nature of the operation is interpreted. A distinction that is frequently made in the literature is one between a law enforcement approach and a national security approach.80 According to Guitton, attribution is not a ‘problem’, but a “two-pronged political process”, one following a legal path, the other adopting national security principles.81 These two approaches differ significantly in their operating principles, as is summarized in Table 3 below. The next section will provide further explanation on the differences between these two approaches, followed by an assessment of the factors that determine which approach applies.

| | Law Enforcement | National Security |
|---|---|---|
| Issues at stake | Individual: Criminal cases | Political: National threats |
| Authority | Judiciary | Executive |
| Evidence | Digital forensics and public evidence | (All-Source) Intelligence |
| Verification | Binary: Beyond reasonable doubt | Degree: Estimative probability |
| Timing | Irrelevant | Urgent |
| Response | Criminal charges | DIME(LE) |
| Attribution level | Individual | Aggregate entity |

Table 3: Law Enforcement vs. National Security Approach to Attribution

80 Brenner, “At Light Speed,” 429; Clark and Landau, “Untangling Attribution,” 36; Guitton, Inside the Enemy’s Computer, 30.

Approach: Law Enforcement versus National Security

In a typical case of (domestic) crime, the attribution process would be fairly straightforward and linear to the common observer. Guitton summarizes the process in four steps: ‘identifying the criminal conduct’, ‘gathering forensic material’, ‘turning it into evidence’, and ‘presenting it before a court of law’.82 Rid and Buchanan similarly describe the law enforcement process as starting with identifying a crime or offense, then investigation, after which collected evidence is combined into a case and presented before a jury where ‘the final question of attribution will be settled’.83

Brenner notes that criminal prosecution models often hinge on determining a physical location, being either a point of occurrence of crime or a point of origin. However, she notes, in cyberspace a ‘place’ is difficult to determine, because “cyberspace eliminates the need for physical proximity between attacker and victim, and thereby creates the potential for increased differentiation between point of attack origin and point of occurrence.”84 Moreover, as the previous section on identification has concluded, finally settling attribution at a standard that is required before a criminal court is rarely possible. It is for this reason that some have suggested adopting a looser approach to attribution based on national security principles, or at least a combination of the two.85 Without delving too deep into the legal-constitutional implications of such an approach, several crucial characteristics set a national security approach apart from a law enforcement approach.

First, the two approaches have a different decision making authority for settling attribution and determining the response. In the case of law enforcement, the ultimate authority rests with the judicial branch of power – at least in (liberal) democracies – whereas the executive branch is in charge of attribution in national security cases.86 As is explained in detail below, this has important procedural implications: the former decides based on codified rules of law, while the latter has more freedom to decide, if the constitution allows it.

Second, the type of evidence used for attribution varies. In criminal cases, attribution is generally based on (forensic) evidence that has to be disclosed to the other party and the court.87 Clark and Landau add nuance to this point, saying that evidence in cybercrime cases is more likely to be of a physical nature, rather than a ‘forensic quality computer-based identity’.88 The national security approach is different in the sense that it may use less conventional intelligence methods. According to Rid and Buchanan, successful attribution depends on the ability of the investigator to combine different types of (all-source) intelligence and create a picture that is as complete as possible – an ability they call ‘aperture’.89 Obviously, better intelligence collection and analysis leads to better attribution, which is why some scholars consider successful attribution to be mostly a ‘resource problem’.90 A related issue regarding the use of intelligence for attribution is that of source protection. Disclosing intelligence can harm those sources and disqualify them for future use, and the use of illegal methods may lead to a political backlash.

82 Guitton, Inside the Enemy’s Computer, 47.
83 Thomas Rid and Ben Buchanan, “Attributing Cyber Attacks,” Journal of Strategic Studies 38, no. 1-2 (2015): 5.
84 Brenner, “At Light Speed,” 412.
85 Brenner, “At Light Speed,” 429; Clark and Landau, “Untangling Attribution,” 36; Guitton, Inside the Enemy’s Computer, 30.

Third, and quite fundamental, is the different verification principle (or standard of evidence) adopted. In criminal cases, attribution is considered a ‘binary’ affair – it is either ‘solved’ or not.91 This either-or decision is made by the judiciary, which has to decide if the evidence provided has established a causal link beyond reasonable doubt. In any case, the suspect is considered innocent until proven otherwise. When talking about cyber attribution, this principle is often criticized by scholars who opt for a national security-oriented approach. Rid and Buchanan substantiate their punch line “attribution is what states make of it” by arguing that “attribution is a matter of degree”.92 Even though on a technical level it may not be possible to pinpoint an aggressor with complete certainty, technical attribution is only part of the picture. On an operational and strategic level, attribution also entails enriching the technical elements with political context and intelligence from other sources to make an informed estimation.93 A related argument is presented by Lupovici, who argues that “the effects of anonymity on deterrence are derived from social conventions, which legitimize retaliations only if the defender is able to fully identify the source of attack.”94 What this suggests is that a state may – or in some cases must – take retaliatory measures if it has strong suspicions, even if it has not fully established a technical link.

Fourth, the issue of timing is less relevant in criminal prosecutions, contrary to national security issues where time pressure is paramount. The collection of evidence and building a case for attribution is time consuming. Because legitimacy for a retaliatory response is assumed to decrease over time, an attack victim may have to assign blame based on incomplete evidence, or risk losing an opportunity for retaliation.95 Moreover, international criminal proceedings are considered less attractive because of the attribution problem and the time it may take to get a verdict.96 If the objective is to have a quick remedy, whether it is mitigation or retaliation, nation-states are more likely to depend on their national security instruments.

88 Clark and Landau, “Untangling Attribution,” 39.
89 Rid and Buchanan, “Attributing Cyber Attacks,” 11-12.
90 Jon R. Lindsay, “Tipping the scales: the attribution problem and the feasibility of deterrence against cyberattack,” Journal of Cybersecurity 1, no. 1 (2015): 53; Rid and Buchanan, “Attributing Cyber Attacks,” 12.
91 Rid and Buchanan, “Attributing Cyber Attacks,” 5.
92 Ibid, 4, 7.
93 Ibid, 8-9.

Fifth, law enforcement and national security approaches are also set apart by their means of response to attribution. In criminal cases, suspected attribution is usually communicated through criminal charges, and potentially confirmed by a conviction before a court. In national security cases, the available response options are greater. These responses can be categorized using the DIME(LE) model:97 Diplomatic measures include high-level statements and diplomatic sanctions; Informational measures may include public naming and shaming, and other means of public information dissemination; Military measures can be thought of as conventional displays of power and kinetic military force; Economic measures are mostly economic sanctions such as the freezing of assets or trade embargoes. Finally, perhaps counterintuitively, law enforcement is also a possible response strategy for national security. As Maurer notes, in some cases public criminal charges may serve as an information channel for naming and shaming strategies.98

Sixth and finally, criminal prosecutions are generally targeting some specific individual, whereas national security attribution cases are mostly aimed at the level of an ‘aggregate identity’.99 This circles back to the question of levels of attribution as discussed in the sections on agent and principal attribution. What it implies is that national security processes operate on the level of principal attribution, while law enforcement functions on the level of agent attribution.

In short, this section has distinguished the law enforcement and national security approaches based on six operational features identified in the literature: decision making authority, type of evidence, standard of verification, urgency, response mechanisms, and attribution level. This leaves unanswered the question of when one process is preferred over the other, or in other words, when something becomes an issue of national security.

95 Lynn III, “Defending a New Domain,” 99; Kello, “The Meaning of the Cyber Revolution,” 33; Lupovici, “The ‘Attribution Problem’,” 329; Nye, “Deterrence and Dissuasion in Cyberspace,” 51.
96 Farwell and Rohozinski, “Stuxnet and the Future of Cyber War,” 33.
97 Maurer, Cyber Mercenaries, 139.
98 Ibid, 142.

Subject: Criminal Cases versus National Threats

Turning to the question of when something shifts from being ‘mere’ crime to a threat to national security, Guitton identifies five factors that may be of influence: severity of the incident; political character of the target; point of origin; operation means; and political context.100 First, highly severe and publicized incidents may push governments to act even though there is incomplete evidence. However, it seems unlikely that victim states have a predefined ‘threshold’ that needs to be crossed in order to invoke a national security response. Furthermore, as Lindsay argues, if such a threshold were explicit, it might invite others to conduct operations just below it, where they would avoid retaliation.101

The second influencing factor is the type of operation target. Attacks and operations on governmental entities are said to be more likely to provoke a national security response, as is also the case for crucial organizations such as defense contractors or critical infrastructure companies.102 At face value, this seems plausible, although there are cases of operations on private companies that provoked an official governmental response. Examples include the 2010 ‘Aurora’ espionage operation against Google and the 2014 attacks on Sony Entertainment.103

Third, according to Guitton, if the point of origin is found to be in another country it may also lead to a national security response, especially if that country has an adversarial relationship with the victim.104 However, this criterion is not that easy to confirm. It is possible to look at Brenner’s “internal/external threat dichotomy” as a point of departure.105 Typically, law enforcement bodies are purely responsible for maintaining internal order, thus mostly acting against criminals within their territorial jurisdiction, whereas threats to external order would typically fall under the purview of national security.106 However, as was explained in the previous section, this internal-external threat dichotomy is less appropriate in cyberspace, where a point of origin can be ambiguous and dispersed. Nevertheless, while looking for a point of origin (using law enforcement procedures), traffic may be traced to a foreign country. If that process is inconclusive on attribution or if an aggressor has been identified, the victim may request forensic cooperation or enforcement cooperation, respectively. When the other party refuses such cooperation, Guitton notes, the case will transform from crime to national security.107

100 Guitton, Inside the Enemy’s Computer, 39.
101 Lindsay, “Tipping the Scales,” 63.
102 Guitton, Inside the Enemy’s Computer, 41.
103 U.S. Department of State, Statement on Google Operations in China, January 12, 2010, accessed April 20, 2018, https://2009-2017.state.gov/secretary/20092013clinton/rm/2010/01/135105.htm; U.S. White House, Statement by the Press Secretary on the Executive Order Entitled ‘Imposing Additional Sanctions with Respect to North Korea’, January 2, 2015, accessed April 20, 2018, https://obamawhitehouse.archives.gov/the-press-office/2015/01/02/statement-press-secretary-executive-order-entitled-imposing-additional-s.
104 Guitton, Inside the Enemy’s Computer, 41-42.
105 Brenner, “At Light Speed,” 429.

Fourth, if the methods used in the operation are considered highly sophisticated, it is more likely to provoke a national security response.108 This assumption is based on the notion that building highly sophisticated malware tools requires an amount of resources that is only available to a nation-state. This factor is also criticized. Some have pointed to the role of cyber criminals and black markets, where governments can buy off-the-shelf vulnerability exploit kits.109 In another article co-authored with Korzak, Guitton himself also mentions the limitations of the ‘sophistication criterion’, saying that it lacks definition and does not get close to the international legal requirements for establishing state involvement.110

Finally, the perceived political motives of the operation are also considered important.111 It is not possible to use motives as evidence in criminal cases, but they may provide circumstantial evidence for national security threats. However, guessing whether the motive behind an attack or operation was political or not brings us back to the aforementioned issue by Guitton that this requires at least partial attribution for interpretation.112

In sum, this list shows that there is no clear-cut approach to determining an appropriate response to cyber operations. It seems reasonable to assume that each of the factors mentioned above influences decision making in its own way, but we cannot speak of a flip-switch model. Instead, it is more appropriate to conclude that such a decision is highly context dependent and based on policy makers’ judgments.

To create a better appreciation of the dilemma the decision maker faces, it is possible to connect the two approaches to the four types of principal-agent attribution presented in the previous sections. In the first type, a state-mounted operation, there is a clear direct link between the agent and the sponsor, because the agent is the sponsor. Responding to such an attack would demand a national security response. For the fourth type, regardless whether agent-attribution is successful or not, a law enforcement response is most likely as long as no passive or active principal is in play.

107 Guitton, Inside the Enemy’s Computer, 42.
108 Ibid.
109 Farwell and Rohozinski, “Stuxnet and the Future of Cyber War,” 25-26.
110 Guitton and Korzak, “The Sophistication Criterion,” 62.

When criminal investigations are stranded because of incapacity or reluctance to cooperate, things get messier. For both the second and third types, state-sponsored and state-tolerated operations, increased involvement by national security authorities is to be expected. However, because of the lack of clear criteria it may be appropriate to think of this area between the first and fourth types as a spectrum, where increased suspicion of nation-state involvement is increasingly likely to provoke national security responses. This suspicion, in turn, is influenced by the five aforementioned factors: severity, target type, point of origin, sophistication, and political context (see Table 4 below).

| State Involvement | Principal-Agent Type | Response Type |
|---|---|---|
| State-Mounted | Type 1: Integrated | National Security |
| State-Sponsored | Type 2: Active support | Spectrum based on judgment/suspicion of nation-state involvement |
| State-Tolerated | Type 3: Passive support | Spectrum based on judgment/suspicion of nation-state involvement |
| No state involvement | Type 4: No support | Law Enforcement |

Table 4: State Involvement and Response Types

To summarize, this section on attribution responses has sought to explain how national security threats are more likely to call for action based on imperfect attribution. Deciding whether a cyber attack or operation is a national security threat or an act of cybercrime is most likely to be a political judgment, based on the suspected (active or passive) involvement of a (state) sponsor. In Guitton’s words:

“It will be up to a state official to make the political decision of attribution and to answer the following question: is the cost of misattributing the attack to the claimed group, and taking retaliatory measures against it, greater than the cost of not attributing the attack and not responding to it?”113

This brings us to the next question of communicating attribution.

2.2.3. COMMUNICATION

Rid and Buchanan state, “Communicating attribution is part of attributing.”114 Communication of findings based on intelligence or estimative probability is a challenge for the defender in this case, as incomplete claims may face plausible deniability on the side of the attributed party. Nye and Schneier explain that there are generally three types of audiences with regard to attribution.115 First, there is the ‘I know X did it’: the audience in this case is the defender itself. This can be a national government, private company or other entity. This actor wants to make sure that it makes a correct assessment of the nature and origin of the threat. Convincing oneself generally falls under the interpretation challenge of the attribution problem, as outlined in the previous chapter. The second level is about ‘convincing X I know X did it’. This is more complicated than convincing oneself. The victim may be convinced that a certain actor is responsible, but confronting that actor may require the victim to disclose sensitive intelligence sources and methods. Third, ‘convincing the world or other third parties that I know X did it’ is most challenging. The audience at this level is the wider public.

Closer analysis of the first two categories is difficult. Internal and bilateral communication about attribution of cyber operations occurs behind closed doors, so these processes are rarely visible to the outside world. Communicating with the public audience, obviously, is overt. Turning to the conclusions of the previous section about response, this distinction between overt and covert communication is also relevant. Why should anyone want to go public about attribution? Moreover, in doing so, how does this occur? The next two subsections will briefly look at these two questions, respectively.

Motives: Credibility and Legitimacy

If action based on imperfect attribution is possible, part of attribution is also garnering trust and authority in order to convince the audience of the ‘judgment’.116 Failing to do so may induce ‘audience costs’ upon the one communicating blame. The concept of ‘audience costs’, as introduced in a domestic context by Fearon in 1994, is defined as costs that “arise from the action of domestic audiences concerned with whether the leadership is successful or

114 Rid and Buchanan, “Attributing Cyber Attacks,” 26.

115 Nye, “Deterrence and Dissuasion in Cyberspace,” 51; VICELAND, “The Attribution Problems in Cyber Attacks.”
